Up to [cvs.NetBSD.org] / pkgsrc / security / lasso
Request diff between arbitrary revisions
Keyword substitution: kv
Default branch: MAIN
*: recursive bump for icu 76 shlib major version bump
*: revbump for icu downgrade
*: recursive bump for icu 76.1 shlib bump
revbump after icu and protobuf updates
*: recursive bump for icu 74.1
*: bump for openssl 3
*: recursive bump for Python 3.11 as new default
revbump after textproc/icu update
massive revision bump after textproc/icu update
*: Revbump packages that use Python at runtime without a PKGNAME prefix
*: recursive bump for perl 5.36
lasso: fix PLIST for fixed gtk-doc and depend on it. Bump PKGREVISION.
lasso: fix the build with inkscape installed Basically lasso installs additional files when Inkscape is available, which it would normally re-generate but are already in the source tree. This unconditionally caches "/bin/false" as the path to Inkscape, which: * will always behave the same (install the missing files) * will break if they ever have to be re-generated (thus exposing the issue directly, which is a good thing) In addition since lasso can provide additional documentation when gtk-doc is installed, I have enabled this by default as well. Bumps PKGREVISION. Reviewed by manu@, thanks!
revbump for textproc/icu update
revbump for icu and libffi
Update lasso to 2.7.0 Changes from 2.6.1, from the NEWS file 2.7.0 - June 1st 2021 ---------------------- 36 commits, 45 files changed, 1945 insertions, 177 deletions * CVE-2021-28091: Fix signature checking on unsigned response with multiple assertions https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28091 When AuthnResponse messages are not signed (which is permitted by the specifiation), all assertion's signatures should be checked, but currently after the first signed assertion is checked all following assertions are accepted without checking their signature, and the last one is considered the main assertion. This patch : * check signatures from all assertions if the message is not signed, * refuse messages with assertion from different issuers than the one on the message, to prevent assertion bundling event if they are signed. * Python: improve display of warnings in the binding generator * replace deprecated index() by strchr() (#51385) * Fix: new provider reference count is incremented one time too many (#51420) * docs: update gtk-doc-tools integration (#50441) * bindings: disable java tests when java is disabled * Fix: python3 bindings (#51249) * configure.ac: disable java bindings * build: update to use origin/main * debian: add packaging for debian-buster * jenkins.sh: build against all available python versions (#44287) * python: do not leak out_pyvalue if method call protocol is not respected (#44287) * python: do not raise in valid_seq() (#44287) * python: return NULL if get_list_of_strings() fails (#44287) * python: return NULL if get_list_of_pygobject fails (#44287) * python: return NULL if get_list_of_xml_nodes fails (#44287) * python: return NULL if set_list_of_pygobject fails (#44287) * python: return NULL if set_list_of_xml_nodes fails (#44287) * python: return NULL if set_list_of_strings fails (#44287) * python: return NULL if set_hashtable_of_strings fails (#44287) * python: return NULL if set_hashtable_of_pygobject fails (#44287) * python: free internal string buffer if needed in set_list_of_strings (#44287) * python: check if hashtable is NULL before deallocatio (#44287)n * python: add a failure label to method wrappers (#44287) * python: add macro for early return (#44287) * python: remove newline before method call (#44287) * python: simplify get_logger_object (#44287) * python: fix warning about discarded const modifier (#44287) * python: replace exception by warning on logging path (#44287) * python: use simpler call format to prevent warning about PY_SSIZE_T_CLEAN (#44287) * python: remove deprecated PyErr_Warn (#44287) * python: remove unused PyString_Size (#44287) * python: Exception.message was removed in python3 (#45995) * tools: reimplement xmlURIEscapeStr to respect RFC3986 (#45581) * configure.ac: support php7 interpreter on CentOS 8 (#42299)
*: recursive bump for perl 5.34
revbump for textproc/icu
Revbump packages with a runtime Python dep but no version prefix. For the Python 3.8 default switch.
*: Recursive revbump from textproc/icu-68.1
*: bump PKGREVISION for perl-5.32.
Updated security/lasso to 2.6.1 Changes since previous pkgsrc version 2.5.1, from the NEWS file Also add a fix for proper escape single quotes in RelayState From upstream https://dev.entrouvert.org/issues/45581 2.6.1 - Aptil 22th 2019 ---------------------- 42 commits, 425 files changed, 3894 insertions, 795 deletions - Keep order of SessionIndexes - Clear SessionIndex when private SessionIndexes is empty (#41950) - misc: clear warnings about class_init signature using coccinelle - tests: fix compilation with check>0.12 (#39101) - Sort input file lists to make build deterministic (#40454) - debian: disable php7 (#28608) - Modify .gitignore for PHP 7 binding (#28608) - Add PHP 7 binding (#28608) - Fix tests broken by new DEBUG logs (#12829) - Improve error logging during node parsing (#12829) - Improve configure compatibility (#32425) - Improve compatibility with Solaris (#32425) - Fix reference count in lasso_server_add_provider2 (fixes #35061) - Fix python multi-version builds on jessie and stretch - docs: do not use Internet to fetch DTDs, entities or documents (#35590) - fix missing include <strings.h> for index() (fixes #33791) - PAOS: Do not populate "Destination" attribute (Dmitrii Shcherbakov) - export symbol lasso_log (#33784) - Do not ignore WantAuthnRequestSigned value with hint MAYBE (#33354) - Use io.open(encoding=utf8) in extract_symbols/sections.py (#33360) - xml: adapt schema in saml2:AuthnContext (#29340) - Fix ECP signature not found error when only assertion is signed (#26828) - autoconf: search python interpreters by versions (John Dennis) - python: make tools compatible with Py3 (John Dennis) - python: run tests and tools with same interpreter as binding target (John Dennis) - improve resiliency of lasso_inflate (#24853) - fix segfault in lasso_get_saml_message (#24830) - python: add classmethod Profile.getIssuer (#24831) - website: add news about 2.6.0 release - debian: sync with debian package (#24595) - faq: fix references to lasso.profileGetIssuer (#24832) - python: add a classmethod for lasso.profileGetIssuer (#24831) - tools: fix segfault in lasso_get_saml_message (fixes #24830) - jenkins.sh: add a make clean to prevent previous build to break new ones - tools: set output buffer size in lasso_inflate to 20 times the input size (fixes #24853) - Use python interpreter specified configure script - Make Python scripts compatible with both Py2 and Py3 - fix duplicate definition of LogoutTestCase and logoutSuite - Downcase UTF-8 file encoding name - Make more Python scripts compatible with both Py2 and Py3 - Configure should search for versioned Python interpreter. - Clean python cache when building python3 binding - Move AC_SUBST declaration for AM_CFLAGS with alike (#24771) - Remove -Werror from --enable-debugging (fixes #24771) - xml: fix parsing of saml:AuthnContext (fixes #25640) 2.6.0 - June 1st 2018 --------------------- 32 commits, 73 files changed, 1920 insertions, 696 deletions - add inline implementation of lasso_log - Choose the Reference transform based on the chosen Signature transform (fixes #10155) - add support for C14N 1.1 methods and C14N withComments methods (fixes #4863) - remove DGME specific commented out code - add docstring on SHA-2 signature method enum - tests: silence unused variable warning - check node names in lasso_node_impl_init_from_xml() (fixes #47) - fix segfault when parsed node has no namespace (#47) - do not call xmlSecKeyDuplicate is source key is NULL - enable user supplied CFLAGS - Fix ecp test validate_idp_list() (fixes #11421) - tests: convert log level as string - fix definitions of error, critical and warning macros (fixes #12830) - jenkins.sh: add V=1 - add defined for the XML namespace - ignore unknown attributes from the xsi: namespace - saml-2.0: improve support for free content inside samlp2:Extensions (fixes #18581) - debian: initialize stretch packaging with a copy of upstream debian (#21772) - replace use of <xmlsec/soap.h> which is deprecated (fixes #18771) - fix get_issuer and get_in_response_to - route logs from libxml2 and libxmlsec through GLib logging - tests: prevent crash in glib caused by abort on recursive logging - java: stop setting a bytecode version target - add xmlsec_soap.h to Makefile - python: route logs for libxml2 and libxmlsec2 to their own logger - perl: force use of the in-tree lasso when running tests (fixes #23276) - perl: set DESTDIR and PREFIX at Makefile's creation - Replace xmlSecSoap functions with lasso implementations - add a pem-public-key runtime flag - deprecate loading PEM formatted public keys in lasso_xmlsec_load_key_info - perl/tests: build Makefile.perl before running the tests
Revbump for icu
*: recursive bump for libffi
*: Recursive revision bump for openssl 1.1.1.
security: align variable assignments pkglint -Wall -F --only aligned --only indent -r No manual corrections.
Changed PYTHON_VERSIONS_INCOMPATIBLE to PYTHON_VERSIONS_ACCEPTED; needed for future Python 3.8
Bump PKGREVISIONs for perl 5.30.0
fix some whitespace, mostly introduced in the previous python 3.4 / 3.5 removal commit.
Omit mentions of python 34 and 35, after those were removed. - Includes some whitespace changes, to be handled in a separate commit.
Removed commented-out PKGREVISIONs
Recursive bump for perl5-5.28.0
extend PYTHON_VERSIONS_ for Python 3.7
Add python-3.6 to incompatible versions.
Remove python33: adapt all packages that refer to it.
Bump PKGREVISION for perl-5.24.0 for everything mentioning perl.
Update lasso to 2.5.1 Changes since 2.4.1 from NEWS file: 2.5.1 - February 19th 2016 --------------------------- 17 commits, 16 files changed, 1096 insertions, 42 deletions - Add missing urn constants used in PAOS HTTP header - Set NotBefore in SAML 2.0 login assertions - tests: fix leak in test test16_test_get_issuer - id-ff: fix leak of profile->private_data->message_id - saml-2.0: fix leak of message_id in lasso_profile_saml20_build_paos_request_msg - tests: fix leaks in test_ecp - xml: fix wrong termination of comment - xml: fix leak in lasso_soap_envelope_new_full - profile: fix leak of private idp_list field - saml-2.0: fix leaks of url - tests: fix leak - tests: update valgrind suppressions - perl: remove quotes from $PERL -V::ccflags: output (#9572) - Fix wrong snippet type (fixes #9616). Thanks to Brett Gardner for the patch. - tools.c: use correct NID and digest length when building RSA signature using SHA-2 digest (fixes #10019) Thanks to Brett Gardner for the patch. - bindings/php5: fix enum getters and setters (fixes #10032). Thanks to Brett Gardner for the bug report. - fix warning about INCLUDES directive 2.5.0 - September 2nd 2015 -------------------------- 151 commits, 180 files changed, 8391 insertions, 1339 deletions - lots of bugfixes (reported by static analysis tools like clang, coverity and manual inspection) thanks to Simo Sorce and John Dennis from RedHat - xsd:choices are now parsed correctly by implementing a real finite automata for parsing XML documents. New flag for jumping forward and backward in schema snippets have been added. It fixes parsing of message from third party not following the ordre from the schema (they are entitled to do it but most SAML implementations do not) - added C CGI examples for SP and IdP side - removed the _POSIX_SOURCE declaration - added support for the SHA-2 family of hash functions - fixed protocol profile selection when parsing AuthnRequest - added support for Python 3, thanks to Houzefa Abbasbhay from XCG Consulting - fixed default value of WantAuthnRequestSigned in metadata parsing - SAML 2.0 ECP is now functionnal, thanks to John Dennis from RedHat - added two new API function to LassoProfile to extract the Issuer and InResponseTo attribute of messages, allowing pre-treatment before parsing the message, to load the metadata of the remote provider, or find the request which the response matches. - fixed segfault when parsing HTTP-Redirect marlformed base64 content - added support for automake 1.15 (jdennis)
Bump PKGREVISION for security/openssl ABI bump.
Extend PYTHON_VERSIONS_INCOMPATIBLE to 35
Recursive PKGREVISION bump for all packages mentioning 'perl', having a PKGNAME of p5-*, or depending such a package, for perl-5.22.0.
Mark as not ready for python-3.x. Some cleanup.
Upgrade lasso to 2.4.1 to fix CVE-2015-1783, approved by wiz@ NEWS from last pkgsrc version: 2.4.1 - Septembre 28th 2014 --------------------------- 56 commits, 35 files changed, 12590 insertions(+), 31117 deletions(-) - fix bug #4455 runtime bug in perl binding on debian wheezy 32bits # - fix warning on g_type_init() on GLib > 2.36 - lot of null pointer, boundary checks, and dead code removal after validation using Coverity and Clang static analyzer (Simo Sorce) - always set NotOnOrAfter on the Condition element - fix pkg-config typo (Simon Josefsson) - Python binding now conserve the order of session indexes values - fix memory leaks - Python bindings now automatically convert unicode values to UTF-8 2.4.0 - January 7th 2014 ------------------------ 281 commits, 933 files changed, 45384 insertions, 6313 deletions Minor version number increase since ABI was extended (new methods). - Key rollover support: Lasso is now able to accept messages signed by any key declared as a signing key in a metadata and not just the last one. You can also decrypt encrypted nodes using any of a list of private keys, allowing roll-over of encryption certificates. Signing key roll-over is automatic, your provider just have to provide the new signing key in their metadata. For multiple-encryption key you can load another private key than the one loaded in the LassoServer constuctor with code like that: >>> import lasso >>> server = lasso.Server(our_metadata, first_private_key_path) >>> server.setEncryptionPrivateKey(second_private_key_path) See the FAQ file for the workflow of a proper key roll-over. - Partial logout response now produces a specific error code when parsed by lasso_logout_process_response_msg() - Bugs in lasso_assertion_query_build_request_msg() were fixed - Processing of assertions is not stopped when checking that first level status code is not success, so that later code can check the second level status code. - A new generic error for denied request was added, LASSO_PROFILE_ERROR_REQUEST_DENIED - A new API lasso_server_load_metadata() was added to load federation files (XML files containing metadata from multiple providers) and to check signatures on them. - Better warning and errors are reported in logs when failing to load a metadata file. - Bugs around missing namespace declaration for dump file were fixed, it prevented reloading dumped object (like LassoLogin). - lasso_node_get_xml_node_for_any_type() must be able to copy the content of an XML node to another (namespace, attribute and children). It did not, now it is fixed. It can be used for example to add specific attribute like xsi:type="string" to a Saml2AttributeValue. Here is a python snippet to do that: >>> import lasso >>> a = lasso.Saml2AttributeValue() >>> a.setOriginalXmlnode('<Dummy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="string">Value</Dummy>') >>> print a.debug(0) <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="string">Value</saml:AttributeValue> - support for symetric keys signatures: for a long time XMLDsig standard has supported HMAC signature, or signature based on a shared secret key an hash algorithm. Lasso now supports to share a key with another Lasso using service or identity provider and to verify and sign SAML exchange using this key. Performance can be 100 times more than with assymetric cryptography, i.e. RSA. - nodes able to hold any XML attribyte (like saml:AttributeValue) contains a hashtable to for holding those attributes, those hashtable have a new syntax for attributes of another namespace than the current node namespace, inspired by the Python ElementTree library: {the_namespace}the_attribute_name ex: {http://www.w3.org/2001/XMLSchema-instance}type for the classic xsi:type attribute. - xmldsig:X509Data node now possess a binding as a Lasso object. You can use it combined with the new class LassoSaml2KeyInformationDataType to use the holder-of-key subject confirmation method. - The perfs benchmarking tools now allows to select a different metadata set (for example to test with different public key sizes). - Perl minimal version for the binding was downgraded to 5 - pseudo-XSchema validation: the new XML deserializer does more to enforce constraints of the schema defining SAML messages. It means Lasso is less forgiving with non-conform implementation of SAML. - thin-sessions mode: A new flag was added named thin-session, you can set it using lasso_set_flag("thin-sessions") or by setting the LASSO_FLAG environement variable to the string "thin-sessions". The effect of this flag is to remove complete storage of assertions in the LassoSession object, which was made mainly to support logout and the artifact binding for ID-FF 1.2. A new thinner structure is used for supporting logout, and ID-FF 1.2 can now use the same storage mechanism as the SAML 2 implementation for the artifact binding (i.e. using lasso_profile_get_artifact_message after artifact generation and lasso_profile_set_artifact_message before artifact retrieval). - better initialization and access to SessionIndex in logout requests: LassoSession now store all generated SessionIndex for a session using a small structure, using it the LassoLogout profile can now initialize LassoLogout message with all of them. It's not necessary to implement this functionnalitý in your service or identity provider anymore. - new LassoKey object: this new class was introduced to simplify management of keys when using shared key signature. But you can also use it to load assymetric keys. In the future it should gain API to do XML signature and encryptiong independently of any SAML 2.0 or ID-FF 1.2 exchange. Providing the first simple binding of libxmlsec to Python. - Improvements to autoconf and automake files to compile under Darwin (Mac Os X) and Fedora. - a FAQ file was started. - added API: LASSO_LOGOUT_ERROR_PARTIAL_LOGOUT LASSO_PROFILE_ERROR_ENDPOINT_INDEX_NOT_FOUND LASSO_PROFILE_ERROR_REQUEST_DENIED LASSO_PROVIDER_ROLE_ALL LASSO_SERVER_ERROR_NO_PROVIDER_LOADED LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITIES_DESCRIPTOR_SIGNATURE LASSO_SERVER_LOAD_METADATA_FLAG_CHECK_ENTITY_DESCRIPTOR_SIGNATURE LASSO_SERVER_LOAD_METADATA_FLAG_DEFAULT LASSO_SERVER_LOAD_METADATA_FLAG_INHERIT_SIGNATURE LASSO_SIGNATURE_METHOD_HMAC_SHA1 LASSO_SIGNATURE_METHOD_NONE LASSO_XMLENC_ERROR_INVALID_ENCRYPTED_DATA LASSO_XMLENC_HREF LASSO_XMLENC_PREFIX struct LassoDsX509Data { LassoDsX509DataPrivate* private_data } struct LassoKey { LassoKeyPrivate* private_data } struct LassoSaml2KeyInfoConfirmationDataType { LassoSaml2KeyInfoConfirmationDataTypePrivate* private_data } LassoServerLoadMetadataFlag LassoDsX509Data* lasso_ds_key_value_get_x509_data ( LassoDsKeyValue* key_value ) None lasso_ds_key_value_set_x509_data ( LassoDsKeyValue* key_value, LassoDsX509Data* x509_data ) const char* lasso_ds_x509_data_get_certificate ( LassoDsX509Data* x509_data ) const char* lasso_ds_x509_data_get_crl ( LassoDsX509Data* x509_data ) const char* lasso_ds_x509_data_get_subject_name ( LassoDsX509Data* x509_data ) GType lasso_ds_x509_data_get_type ( ) LassoDsX509Data* lasso_ds_x509_data_new ( ) None lasso_ds_x509_data_set_certificate ( LassoDsX509Data* x509_data, const char* certificate ) None lasso_ds_x509_data_set_crl ( LassoDsX509Data* x509_data, const char* crl ) None lasso_ds_x509_data_set_subject_name ( LassoDsX509Data* x509_data, const char* subject_name ) GType lasso_key_get_type ( ) LassoKey* lasso_key_new_for_signature_from_base64_string ( char* base64_string, char* password, LassoSignatureMethod signature_method, char* certificate ) LassoKey* lasso_key_new_for_signature_from_file ( char* filename_or_buffer, char* password, LassoSignatureMethod signature_method, char* certificate ) char* lasso_key_query_sign ( LassoKey* key, const char* query ) lasso_error_t lasso_key_query_verify ( LassoKey* key, const char* query ) xmlNode* lasso_key_saml2_xml_sign ( LassoKey* key, const char* id, xmlNode* document ) lasso_error_t lasso_key_saml2_xml_verify ( LassoKey* key, char* id, xmlNode* document ) GList* lasso_lib_logout_request_get_session_indexes ( LassoLibLogoutRequest* lib_logout_request ) None lasso_lib_logout_request_set_session_indexes ( LassoLibLogoutRequest* lib_logout_request, GList* session_indexes ) lasso_error_t lasso_provider_add_key ( LassoProvider* provider, LassoKey* key, gboolean after ) lasso_error_t lasso_provider_set_server_signing_key ( LassoProvider* provider, LassoKey* key ) int lasso_provider_verify_signature ( LassoProvider* provider, const char* message, const char* id_attr_name, LassoMessageFormat format ) GList* lasso_saml2_key_info_confirmation_data_type_get_key_info ( LassoSaml2KeyInfoConfirmationDataType* kicdt ) GType lasso_saml2_key_info_confirmation_data_type_get_type ( ) LassoNode* lasso_saml2_key_info_confirmation_data_type_new ( ) None lasso_saml2_key_info_confirmation_data_type_set_key_info ( LassoSaml2KeyInfoConfirmationDataType* kicdt, GList* key_infos ) gboolean lasso_saml_name_identifier_equals ( LassoSamlNameIdentifier* a, LassoSamlNameIdentifier* b ) lasso_error_t lasso_server_add_provider2 ( LassoServer* server, LassoProvider* provider ) lasso_error_t lasso_server_load_metadata ( LassoServer* server, LassoProviderRole role, const gchar* federation_file, const gchar* trusted_roots, GList* blacklisted_entity_ids, GList** loaded_entity_ids, LassoServerLoadMetadataFlag flags ) GList* lasso_session_get_assertion_ids ( LassoSession* session, const gchar* providerID ) GList* lasso_session_get_name_ids ( LassoSession* session, const gchar* providerID ) GList* lasso_session_get_session_indexes ( LassoSession* session, const gchar* providerID, LassoNode* name_id )
Bump for perl-5.20.0. Do it for all packages that * mention perl, or * have a directory name starting with p5-*, or * depend on a package starting with p5- like last time, for 5.18, where this didn't lead to complaints. Let me know if you have any this time.
Recursive PKGREVISION bump for OpenSSL API version bump.
Enforce -D_POSIX_C_SOURCE=199506 so that strtok_r() is defined by <string.h>, otherwise the compiler assumes it returns an int, and it breaks on LP64 machines.
Recursive PKGREVISION bump for libgcrypt-1.6.0 shlib major bump.
Bump all packages for perl-5.18, that a) refer 'perl' in their Makefile, or b) have a directory name of p5-*, or c) have any dependency on any p5-* package Like last time, where this caused no complaints.
PKGREVISION bumps for the security/openssl 1.0.1d update.
recursive bump from cyrus-sasl libsasl2 shlib major bump.
Fix double free in patch for libxml 2.9.0 support
Don't use nested functions. Bump revision.
Bump all packages that use perl, or depend on a p5-* package, or are called p5-*. I hope that's all of them.
recursive bump from libffi shlib major bump (additionaly, reset PKGREVISION of qt4-* sub packages from base qt4 update)
Recursive PKGREVISION bump for libxml2 buildlink addition.
Recursive bump for pcre-8.30* (shlib major change)
Revbump for a) tiff update to 4.0 (shlib major change) b) glib2 update 2.30.2 (adds libffi dependency to buildlink3.mk) Enjoy.
Do not use nested functions. Add missing prototypes. Bump revision.
recursive bump from gettext-lib shlib bump.
Major update, with many changes that ould be difficult to sum up. Please see the NEWS file.
Use bsdtar for extract, or result in corrupted file name with certain tar. Bump PKGREVISION.
Recursive PKGREVISION bump for jpeg update to 8.
Pullup single logout related bugfixes from lasso -current. On SP initiated logout, the SP x509 certificate was included in the HTTP redirect URL. First this was an SAML standard violation, and second it inflated the URL beyond 2038 bytes, which is the maximum length for IE7 and prior. As a result, SP initated single logout was broken with IE7 and prior versions.
Two bugfixes pulled from upstream: - make sure assertions are signed - don't crash when parsing saml:AttributeValue with xsi:type set
Lasso is a free software C library aiming to implement the Liberty Alliance standards: ID-FF, ID-WSF and SAML. It defines processes for federated identities, single sign-on and related protocols. Lasso is built on top of libxml2, XMLSec and OpenSSL and is GPL licensed.
Initial revision